CVE-2025-23723 Overview
CVE-2025-23723 is a reflected Cross-Site Scripting (XSS) vulnerability in the Plestar Directory Listing WordPress plugin developed by hdw player. The flaw affects all plugin versions up to and including 1.0. It stems from improper neutralization of user input during web page generation, mapped to [CWE-79]. An attacker crafts a URL that, when opened by a victim (typically a logged-in user), executes arbitrary JavaScript in that victim's browser in the context of the WordPress site. The scope change in the CVSS vector indicates that successful exploitation impacts resources beyond the vulnerable component itself.
Critical Impact
Reflected XSS lets an attacker execute arbitrary script in a victim's browser, which can lead to session abuse, credential harvesting, or unauthorized actions performed with the victim's privileges, up to full control of the site when the victim is a WordPress administrator.
Affected Products
- Plestar Directory Listing WordPress plugin (plestar-directory-listing)
- All versions from initial release through 1.0
- WordPress installations using the hdw player Plestar Directory Listing extension
Discovery Timeline
- 2025-01-23 - CVE-2025-23723 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23723
Vulnerability Analysis
The Plestar Directory Listing plugin fails to sanitize user-supplied input before reflecting it in the HTTP response body. When a request parameter is echoed back to the page without proper encoding or filtering, an attacker can embed HTML and JavaScript payloads inside that parameter. The browser then parses the injected markup as part of the legitimate WordPress page and executes the attacker's script in the security context of the site.
Exploitation requires user interaction, typically through a phishing link or a malicious page that triggers a request to the vulnerable endpoint. The CVSS vector also signals a scope change, meaning the injected script can affect resources outside the plugin's logical boundary, such as the WordPress admin session or other plugins loaded on the same page.
Root Cause
The root cause is the absence of context-aware output encoding on parameters consumed by the plugin's request handlers. The plugin trusts request-supplied data and writes it directly into HTML output. WordPress provides helpers for both halves of the fix: sanitize_text_field() together with wp_unslash() on the way in, and esc_html() for element bodies, esc_attr() for attribute values, and wp_kses() where a limited subset of markup is intentionally allowed, on the way out. The affected code paths in version 1.0 do not apply them before rendering reflected values.
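The following PHP is an added illustration of the vulnerable and hardened patterns, not code from the Plestar Directory Listing plugin. The parameter name dir_search, the markup, and the CLI stand-ins for the WordPress helpers are assumptions; the advisory does not name the reflected parameter or the page that echoes it.

```php
<?php
// Added illustration for this advisory, not code from the Plestar Directory Listing
// plugin. The parameter name "dir_search" and the markup are assumptions: the advisory
// does not name the reflected parameter or the page that echoes it.

// Minimal stand-ins so the file runs from the PHP CLI outside WordPress. Inside
// WordPress the real helpers are already defined and these blocks are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) { return trim( strip_tags( (string) $str ) ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}

// Vulnerable pattern (CWE-79): the request value is written straight into HTML, so a
// value such as "><script>... closes the attribute and adds a script element.
function render_search_box_vulnerable( array $get ) {
    $term = isset( $get['dir_search'] ) ? $get['dir_search'] : '';
    return '<input type="text" name="dir_search" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p>';
}

// Hardened pattern: reject non-string input, unslash and sanitize on the way in, then
// encode for the exact output context (attribute vs. element body) on the way out.
function render_search_box_fixed( array $get ) {
    $raw  = isset( $get['dir_search'] ) && is_string( $get['dir_search'] ) ? $get['dir_search'] : '';
    $term = sanitize_text_field( wp_unslash( $raw ) );
    return '<input type="text" name="dir_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for ' . esc_html( $term ) . '</p>';
}

// Constructed payload of the kind a reflected-XSS lure would carry in the URL.
$request = array( 'dir_search' => '"><script>alert(document.domain)</script>' );

echo "vulnerable: ", render_search_box_vulnerable( $request ), "\n";
echo "fixed:      ", render_search_box_fixed( $request ), "\n";

// A check a unit test could keep: the fixed output must not contain the raw tag.
$safe = strpos( render_search_box_fixed( $request ), '<script' ) === false;
echo $safe ? "fixed output contains no raw <script>\n" : "FAIL: tag survived\n";
```

Run it with php from the command line. The vulnerable output closes the value attribute and emits a live script element; the fixed output keeps the same text but with the quote and angle brackets entity-encoded, so the browser renders it as data. Sanitizing on input is not a substitute for encoding on output: the two cover different failure modes, and the output encoding is what actually prevents the injection.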
Attack Vector
An attacker delivers a crafted URL pointing to the vulnerable plugin endpoint. The URL contains a JavaScript payload in a reflected parameter. When a logged-in WordPress user, particularly an administrator, opens the link, the injected script runs with that user's privileges. WordPress sets its authentication cookies with the HttpOnly flag, so reading them from document.cookie is normally not possible; the realistic impact is script that drives the admin interface with the victim's session, for example fetching a nonce from an admin page and then submitting a request to create a user, change settings, or install a plugin, or that exfiltrates page contents to a remote host.
The vulnerability does not require authentication on the attacker's side, but the impact scales with the privilege of the victim. Refer to the Patchstack XSS Vulnerability Advisory for additional context.
Detection Methods for CVE-2025-23723
Indicators of Compromise
- HTTP requests to plestar-directory-listing plugin endpoints containing <script>, javascript:, onerror=, or onload= substrings in query parameters
- Web server access logs showing URL-encoded payloads such as %3Cscript%3E targeting plugin routes
- Outbound browser requests to unfamiliar domains immediately after a user visits a plugin URL
- Unexpected administrative actions, new WordPress users, or modified plugin settings following an XSS lure
Detection Strategies
- Inspect WordPress access logs for plugin-related URLs containing HTML or JavaScript metacharacters in any GET or POST parameter
- Deploy a Web Application Firewall (WAF) rule that flags reflected payloads on /wp-content/plugins/plestar-directory-listing/ paths; because the advisory does not name the reflected parameter or endpoint, also inspect parameters on front-end pages that render the plugin's listings and on admin-ajax.php, where plugin request handlers often live, so that a path-scoped rule alone does not miss the vulnerable request
- Correlate referrer headers from external domains with subsequent admin-area requests to identify phishing-driven exploitation
- Monitor Content Security Policy (CSP) violation reports for inline script execution attempts on WordPress pages
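The following PHP is an added example of the log-inspection strategy above, not a tool from the advisory or the plugin vendor. The access log lines are constructed; the plugin directory comes from the page, while the page path /directory/, the file name listing.php and the parameter names are assumptions.

```php
<?php
// Added detection example for this advisory; not part of the original page.
// The log lines below are constructed. The plugin directory is taken from the
// advisory; /directory/, listing.php and the parameter names are assumptions.

// Indicators named in the advisory: script tags, javascript: URLs, event handlers.
const XSS_PATTERN = '/<script|javascript:|on(?:error|load|mouseover|focus)\s*=/i';

// Parse one combined-format access log line into ip, method, path, query, status.
function parse_access_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m[3] );
    return array(
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[4],
    );
}

// Decode repeatedly so double-encoded payloads (%253Cscript%253E) are caught too.
function fully_decode( string $value, int $max_rounds = 3 ): string {
    for ( $i = 0; $i < $max_rounds; $i++ ) {
        $decoded = urldecode( $value );
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Return the names of query parameters whose decoded value matches the indicators.
function suspicious_params( string $query ): array {
    $hits = array();
    foreach ( explode( '&', $query ) as $pair ) {
        if ( $pair === '' ) {
            continue;
        }
        $parts = explode( '=', $pair, 2 );
        $name  = fully_decode( $parts[0] );
        $value = fully_decode( $parts[1] ?? '' );
        if ( preg_match( XSS_PATTERN, $value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample: one benign search, one plain payload, one javascript: URL,
// one double-encoded payload against the plugin directory, one unrelated POST.
$sample_log = array(
    '203.0.113.10 - - [23/Jan/2025:10:01:02 +0000] "GET /directory/?dir_search=plumbers HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jan/2025:10:05:44 +0000] "GET /directory/?dir_search=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [23/Jan/2025:10:05:59 +0000] "GET /directory/?dir_search=javascript%3Aalert(1)&page=2 HTTP/1.1" 200 5290',
    '198.51.100.7 - - [23/Jan/2025:10:06:01 +0000] "GET /wp-content/plugins/plestar-directory-listing/listing.php?q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 88',
    '192.0.2.5 - - [23/Jan/2025:10:07:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
);

foreach ( $sample_log as $line ) {
    $req = parse_access_line( $line );
    if ( $req === null ) {
        continue;
    }
    $hits = suspicious_params( $req['query'] );
    if ( $hits ) {
        printf( "ALERT %s %s %s params=%s\n", $req['ip'], $req['method'], $req['path'], implode( ',', $hits ) );
    }
}
```

Replace the embedded array with the lines of the real access log (file() or a read of STDIN) to run it against production data. Decoding in a loop matters: the third malicious line only reveals onerror= after two rounds of URL decoding, which is exactly the trick used to slip past single-decode pattern matching. Because the advisory does not name the vulnerable endpoint, the scan looks at every request rather than only the plugin directory, and only the query string is covered here; POST bodies need the WAF or application-level logging.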
Monitoring Recommendations
- Enable verbose request logging on the WordPress reverse proxy or WAF with retention sufficient for incident review
- Alert on anomalous WordPress administrator session activity such as logins from new geolocations followed by configuration changes
- Track plugin file integrity to detect secondary payloads dropped after a successful XSS-driven account takeover
How to Mitigate CVE-2025-23723
Immediate Actions Required
- Disable or uninstall the Plestar Directory Listing plugin until a fixed version is released by the vendor
- Audit WordPress administrator accounts for unauthorized changes, new users, and unexpected plugin or theme modifications
- Force password resets and invalidate active sessions for all privileged WordPress users
- Apply a WAF rule that blocks requests containing script tags or JavaScript event handlers in parameters targeting the plugin
Patch Information
No vendor patch is referenced in the current NVD entry. The vulnerability affects all versions up to and including 1.0. Administrators should monitor the Patchstack XSS Vulnerability Advisory and the WordPress plugin repository for an updated release.
Workarounds
- Remove the plugin from production WordPress installations until an upstream fix is available
- Restrict access to WordPress administrative endpoints by IP allowlist; this narrows where a lured administrator can be attacked from but does not stop exploitation when the victim browses from an allowed network
- Deploy a Content Security Policy that disallows inline scripts and untrusted script sources, using nonces or hashes; test it carefully first, since WordPress core and many plugins rely on inline scripts and a strict policy can break the admin interface
- Train administrators to avoid clicking unsolicited links pointing to their own WordPress domain
# Example WAF rule (ModSecurity) to block reflected XSS payloads targeting the plugin.
# In a chain, only the first rule carries the id, phase and disruptive action; the
# second rule may only add variables, operators and transformations.
SecRule REQUEST_URI "@contains /wp-content/plugins/plestar-directory-listing/" \
"phase:2,chain,deny,status:403,log,id:1002301,msg:'Blocked potential XSS against Plestar Directory Listing (CVE-2025-23723)'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=|<img[^>]+src)" "t:none,t:urlDecodeUni"
# ARGS are already URL-decoded by the engine; t:urlDecodeUni also catches double-encoded payloads.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.